inou/api/api_dossiers.go

package main

import (
	"encoding/json"
	"errors"
	"net/http"

	"inou/lib"
)

func handleDossiers(w http.ResponseWriter, r *http.Request) {
	ctx := getAccessContextOrFail(w, r)
	if ctx == nil {
		return
	}

	LogMCPConnect(ctx.AccessorID)

	// Use RBAC-aware function that returns only accessible dossiers
	dossiers, err := lib.DossierListAccessible(ctx)
	if err != nil {
		if errors.Is(err, lib.ErrAccessDenied) || errors.Is(err, lib.ErrNoAccessor) {
			http.Error(w, "Forbidden: invalid or unauthorized accessor", http.StatusForbidden)
			return
		}
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	var result []map[string]string
	for _, d := range dossiers {
		result = append(result, map[string]string{
			"id":   d.DossierID,
			"name": d.Name,
		})
	}

	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(result)
}